1. Field of the Invention
The present invention relates to a method and apparatus for providing simplified access to subscribers of a differentiated computer network. More particularly, the present invention relates to a method and apparatus for single step network logon based on a point to point communication link between the host computer and a server capable of providing both public domain connections and private service domain connections.
2. The Background
In order for a user to access a computer network, such as the Internet or a private Intranet network, the user must generally first dial-in or otherwise connect to a Network Access Server, or NAS. In most instances, the NASs are maintained by Internet Service Providers (ISPs) or Telephone Companies (TelCos) and are located at Network Access Points (NAPs). The NAS serves as the gate between the computer and the user. As a threshold matter, the NAS must authenticate the identity of the user/subscriber in order to ascertain the nature and scope of the services that it will provide to the subscriber. This authentication process is of heightened importance when the network is differentiated into public areas, such as the Internet, that are generally accessible to all subscribers and private areas, such as a business's Intranet, that are accessible only to authorized subscribers.
The authentication procedure generally involves another server, herein referred to as an Authentication, Authorization and Accounting Server, or an AAA Server. The NAS is a client of the AAA Server and, accordingly, the AAA server has the capability to serve numerous client NASs simultaneously. The NAS and AAA server communicate with one another according to a standard Internet protocol, such as the Remote Authentication Dial-In User Service (RADIUS) protocol. The RADIUS Protocol is well known by those of ordinary skill in the art.
FIG. 1. is a schematic diagram of the computer network environment 10 involved in a standard subscriber logon process. In most instances, the subscriber 12 begins a session on the network by first launching a dial-in application on a personal computer or host 14. The dial-in application prompts the subscriber 12 to enter some form of user identification, commonly a user-name and a private password. Such information may also be stored in the host's memory and automatically provided by the host 14. Once the necessary information is provided, the dial-in application contacts a NAS 16, typically, via modem 18 and telephone line 20, and provides NAS 16 with the subscriber 12 or host 14 supplied identification information. The private password data is customarily encrypted using methods well-known by those of ordinary skill in the art. The NAS 16 then prepares and sends an “access request” packet to AAA server 22. The access request packet contains the data supplied by the host 14, as well as additional data identifying the particular NAS 16 client from which the packet was sent.
The AAA server 22 contains a large database 24 of stored information pertaining to the accounts of each subscriber, including user-names, encrypted passwords and configuration information related to the types of services that are authorized to be provided to the subscriber. When AAA server 22 receives an access request packet from an authorized NAS 16 client, it consults the corresponding database 24 of user profiles to locate the account entry for the subscriber 12 identified by the information contained in the access request packet. The account entry will often specify certain requirements that must be met in order for the subscriber 12 to gain access to the network 10, including information on the clients and ports throughout the network that the subscriber 12 is allowed to access. A paramount requirement is that the password entered by the user match the password specified in the account entry on the AAA database 24. If the passwords match, and all other requirements are met, then AAA server 22 sends NAS 16 an “access accept” packet in response. The access accept packet contains configuration data that enables NAS 16 to provide the desired service to the subscriber 12. Once access is granted to the subscriber 12 a connection to the network, in this instance the Internet 26, can be established.
If any requirement is not met, for example, if the passwords do not match, then AAA server 22 responds with an “access-reject” packet indicating that the user request is invalid. The access-reject packet may also contain text messages that may be delivered to the subscriber 12 via NAS 16. As an alternate option, even if all requirements are met, AAA server 22 may still deny immediate access to the user and instead issue an “access-challenge” packet that will effectively prompt the user for new or additional information before access is granted.
A complication of the scheme detailed in FIG. 1 arises when the network environment contains private areas whose access is regulated by an additional server or gateway device, herein referred to as a Service Selection Gateway, or SSG server. FIG. 2 is a schematic diagram of the computer network environment 30 that includes a SSG server 32. Among many features of the SSG server 32, it serves to create multiple secure channels to private areas of the network for those subscribers authorized to use such private networks. In order to access the private domains, an authorized subscriber 34 must logon to the SSG server 32, as well as the corresponding NAS 36. The ability to access both the public domains and the private domains currently involves two separate logon procedures.
The dual logon procedure is initiated by the subscriber 34 launching on a host 38 the same dial-in application detailed in the discussion of FIG. 1. The subscriber 34 or host 38 will provide the necessary authorization and identification information. Once this information is provided, the dial-in application will contact NAS 36 and the information will be forwarded from the host 38 to NAS 36. The NAS 36 then communicates with AAA server 44 to authenticate and authorize public access to the subscriber 34. Once this process is completed, then the user must launch a separate and largely redundant “dashboard” application on the host 38 in order to gain access to the private domains gated by the SSG server 32. The subscriber 34 is again prompted by the dashboard application to input identification information. Once the necessary information is provided, the dashboard application contacts the SSG server 32 and provides the SSG server 32 with the subscriber supplied identification information. In much the same fashion as NAS 36 performs, the SSG server 32 prepares and sends an “access request” packet to AAA server 44. In this illustration AAA server 44 and the corresponding database 46 are the same AAA server 44 and database with which NAS 36 communicated. It is also possible to have individual AAA servers and/or databases in communication with NAS 36 and SSG server 32. Once AAA server 44 receives the access request packet from SSG server 32, it consults the corresponding database 46 to locate the service entry for the subscriber 34 identified by the information contained in the access request packet. If the passwords match, and all other requirements are met, then AAA server 44 sends SSG server 32 an “access accept” packet in response. Once access is granted to the subscriber 12 the subscriber is permitted to make connections with both public domains 48 and private domains 50.
The need for this two-step logon process is dictated by how the IP address is assigned. It would not be sufficient to simply pass the identification information from NAS 36 to SSG server 32 because SSG server 32 is incapable of sending information from the private domains without access to the dynamically assigned IP address of the subscriber. From the subscriber's perspective this two-step logon procedure is inefficient. It causes the subscriber time consuming delays in making a connection to a desired service and mandates that the subscriber use storage capacity for a largely redundant software application. The subscriber would benefit from having a one-step logon procedure that provides the necessary authorization and authentication for access to both public domains and private domains.
FIG. 3A illustrates an example of the current communication links, in terms of protocols, between the host 62, NAS 64 and SSG server 66. The initial connection 60 between the host 62 and NAS 64 can be established via Point to Point Protocol (PPP) or another similar protocol.
The Point-to-Point Protocol (PPP) is a data link protocol that provides dial up access over analog or digital transmission lines. PPP provides many advanced features, including error detection, support of multiple protocols, negotiation of IP addresses at connection time, and authentication. There are three main features of PPP. The first is that it provides a framing method to delineate the end of one frame and the beginning of the next one, in order to handle error detection. The second is a Link Control Protocol (LCP) for bringing lines up, testing them, negotiating options, and bringing them down again when they are no longer needed. The third is a manner to negotiate network layer options in a way independent of the network layer protocol to be used. Thus, the method chosen may have a different Network Control Protocol (NCP) for each network layer supported. PPP is characteristically used whenever there are only two endpoints to a link. Since there are only two endpoints in the PPP connection, there is no concept of routing involved. PPP is a standard protocol within the networking field and is well known by those of ordinary skill in the art.
Referring back to FIG. 3A, the second connection 68 between NAS 64 and SSG server 66 is commonly established via Internet Protocol (IP) over a fast ethernet connection. Thus, the overall connection 70 between host 62 and SSG server 66 is ostensibly seen as an IP routing link with no effective PPP session involved.
FIG. 3B illustrates a slightly more complex bridging model of current communication links encompassing IP transport over other media, such as Asymmetric Digital Subscriber Lines (ADSL) and/or Asynchronous Transfer Mode (ATM). The initial connection 80 or 82 between the host 84 and a router 86 which goes through the Digital Subscriber Line Access Multiplexer (DSLAM) 88 can be established by two distinct protocol stacks. A protocol stack is a list of the protocols used by various layers in the network. The first protocol stack 80 is created via a PPP over ATM over ADSL arrangement. PPP is stacked above the ATM, also at layer 2, between the host 84 and the router 86. Additionally, IP or other network layer protocols, commonly referred to as layer 3 protocols, such as IPX, can be transported over the PPP. The second protocol stack 82 is created via an IP (1483 bridging) over ATM over ADSL arrangement. In this instance, ADSL is incorporated at layer 1 between the host 84 and the DSLAM 88. ATM is stacked above ADSL at layer 2, between both the host 84 and the DSLAM 88 and the DSLAM 88 and the router 86. IP (1483 bridging) is stacked above the ATM. An ethernet frame, also at layer 2, is encapsulated within the ATM. A virtual LAN (Large Area Network) is formed between the host 84 and the router 86. Additionally, IP or other network layer protocols, commonly referred to as layer 3 protocols, such as IPX, can be transported over the Ethernet. The second connection 90 between the router 86 and SSG server 92 is commonly established via IP over fast ethernet. Thus, analogous to the simplified network configuration of FIG. 3A, the overall connection between the host 84 and SSG server 92 is ostensibly seen as an IP routing link with no effective PPP session involved.
The one-step logon process that the subscriber desires would benefit from having a new paradigm whereby the host has a direct PPP link to the SSG. Thus, a one-step logon based on PPP creates an efficient method for the subscriber to logon without introducing unnecessary routing and/or bridging. Additionally, all the benefits of having the full PPP link are realized, including: error detection, support of multiple protocols and negotiation of IP addresses at connection time.